Lec 11 Security Models

Academic year: 2020
Basics

A security policy is a document that expresses clearly and concisely what the protection mechanisms are to achieve. It is a statement of the security we expect the system to enforce.

A security model is a specification of a security policy:

– it describes the entities governed by the policy,
– it states the rules that constitute the policy.

There are various types of security models:

– Models can capture policies for confidentiality (Bell-LaPadula) or for integrity (Biba, Clark-Wilson).
– Some models apply to environments with static policies (Bell-LaPadula), others consider dynamic changes of access rights (Chinese Wall).
– Security models can be informal (Clark-Wilson), semi-formal, or

Basics Cont..

Model vs Policy

A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques that are necessary to enforce the security policy. A security model is usually represented in mathematics and analytical ideas, which are then mapped to system specifications, and then developed by programmers through programming code.

For example, if a security policy states that subjects need to be authorized to access objects, the security model would provide the mathematical relationships and formulas explaining how x can access y only through the outlined specific methods.

A security policy outlines goals without regard to how they will be

Lattice Models

A lattice is a mathematical construct that is built upon the notion of a group.

A lattice is a mathematical construction with:

– a set of elements,
– a partial ordering relation,
– the property that any two elements must have a unique least upper bound and greatest lower bound.

A security lattice model combines multilevel and multilateral security.
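The three bullet points above are exactly what a security lattice of (level, category set) labels provides. The following example was added for this page and is not part of the lecture: it builds such labels, defines the dominance ordering, computes least upper bound (join) and greatest lower bound (meet), and verifies by brute force that the join and meet really are the least and greatest bounds over every pair. The level names, category names and function names (`Label`, `all_labels`, `is_lattice`) are constructed for the example.

```python
from itertools import combinations

# Constructed sample: a total order of classification levels (higher rank = more sensitive).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
LEVEL_NAME = {rank: name for name, rank in LEVELS.items()}


class Label:
    """A security label: a level plus a set of categories (compartments).

    Labels are only partially ordered: two labels with different categories can be
    incomparable, which is what makes the structure a lattice rather than a chain.
    """

    def __init__(self, level, categories=()):
        self.level = LEVELS[level]
        self.categories = frozenset(categories)

    def dominates(self, other):
        # Partial order: at least as high a level AND at least the same categories.
        return self.level >= other.level and self.categories >= other.categories

    def lub(self, other):
        # Least upper bound (join): the lowest label that dominates both.
        return Label(LEVEL_NAME[max(self.level, other.level)],
                     self.categories | other.categories)

    def glb(self, other):
        # Greatest lower bound (meet): the highest label that both dominate.
        return Label(LEVEL_NAME[min(self.level, other.level)],
                     self.categories & other.categories)

    def __eq__(self, other):
        return self.level == other.level and self.categories == other.categories

    def __hash__(self):
        return hash((self.level, self.categories))

    def __repr__(self):
        return f"{LEVEL_NAME[self.level]}{sorted(self.categories)}"


def all_labels(categories):
    """Every label over the level chain and every subset of the given categories."""
    cats = sorted(categories)
    return [Label(level, subset)
            for level in LEVELS
            for r in range(len(cats) + 1)
            for subset in combinations(cats, r)]


def is_lattice(labels):
    """Check the lattice property: for every pair, lub is the *least* upper bound and
    glb the *greatest* lower bound among all labels in the set."""
    for a in labels:
        for b in labels:
            join, meet = a.lub(b), a.glb(b)
            if not (join.dominates(a) and join.dominates(b)):
                return False
            if not (a.dominates(meet) and b.dominates(meet)):
                return False
            for c in labels:
                if c.dominates(a) and c.dominates(b) and not c.dominates(join):
                    return False   # a smaller upper bound exists: join is not least
                if a.dominates(c) and b.dominates(c) and not meet.dominates(c):
                    return False   # a larger lower bound exists: meet is not greatest
    return True


if __name__ == "__main__":
    a = Label("secret", {"nuclear"})
    b = Label("confidential", {"crypto"})
    print(a.dominates(b), b.dominates(a))     # False False: the two labels are incomparable
    print(a.lub(b), a.glb(b))                 # secret['crypto', 'nuclear'] confidential[]
    print(is_lattice(all_labels({"nuclear", "crypto"})))   # True
```

The incomparable pair is the point of the example: a clearance of secret with the nuclear category neither dominates nor is dominated by confidential with the crypto category, yet both still have a unique join and meet, which is what lets the later models (Bell-LaPadula, Biba) decide every access.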

State Machine Models

In a state machine model, the state of a machine is captured in order to verify the security of a system.

A given state consists of all current permissions and all current instances of subjects accessing the objects. If the subject can access objects only by means that are consistent with the security policy, the system is secure.

The model is used to describe the behavior of a system to different inputs. It provides mathematical constructs that represent sets (subjects, objects) and sequences. When an object accepts an input, this modifies a state variable, thus transiting to a different state.

Implementation tips

– The developer must define what and where the state variables are.
– The developer must define a secure state for each state variable.
– Define and identify the allowable state transition functions.

Noninterference Models

The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level.

It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level.

The model also addresses the inference attack that occurs
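The two slides above (state machine models and noninterference) are abstract; the following example was added for this page and is not from the lecture. It defines two tiny state machines driven by inputs tagged with the level of the user who issued them, then checks noninterference in the form Goguen and Meseguer gave it: for every input sequence, what the low user observes must be identical to what it would observe if all high-level inputs were purged from the sequence. The first machine keeps the high user's data and the low user's counter separate; the second shares an activity counter, and the search finds a witness sequence that exposes the high user's actions. The machine names, commands and input alphabet are constructed for the example.

```python
from itertools import product

HIGH, LOW = "H", "L"

# Input alphabet: each input carries the security level of the user who issued it.
INPUTS = [(HIGH, "write"), (LOW, "inc"), (LOW, "read")]


def isolated_step(state, cmd):
    """Machine A: the high user's document and the low user's counter share nothing."""
    if cmd == "write":
        state["doc"] += "x"
        return None
    if cmd == "inc":
        state["counter"] += 1
        return None
    if cmd == "read":
        return state["counter"]
    raise ValueError(cmd)


def shared_step(state, cmd):
    """Machine B: every operation also bumps a global activity counter that 'read' exposes."""
    if cmd == "write":
        state["doc"] += "x"
        state["activity"] += 1
        return None
    if cmd == "inc":
        state["counter"] += 1
        state["activity"] += 1
        return None
    if cmd == "read":
        return state["activity"]     # the low user's output now depends on high inputs
    raise ValueError(cmd)


def run(step, inputs):
    """Run a machine from its initial state; return only the outputs the low user sees."""
    state = {"doc": "", "counter": 0, "activity": 0}
    low_view = []
    for level, cmd in inputs:
        out = step(state, cmd)
        if level == LOW:
            low_view.append(out)
    return low_view


def purge(inputs):
    """Delete every high-level input from the sequence (the Goguen-Meseguer purge)."""
    return [inp for inp in inputs if inp[0] == LOW]


def find_interference(step, max_len=4):
    """Exhaustively search input sequences up to max_len for one whose low-level view
    differs from the view of the same sequence with high inputs purged.
    Returns that witness sequence, or None when the machine is noninterfering."""
    for n in range(max_len + 1):
        for seq in product(INPUTS, repeat=n):
            seq = list(seq)
            if run(step, seq) != run(step, purge(seq)):
                return seq
    return None


if __name__ == "__main__":
    print(find_interference(isolated_step))   # None
    print(find_interference(shared_step))     # [('H', 'write'), ('L', 'read')]
```

Note that machine B leaks nothing through a data path the policy would label: the high user never writes to anything the low user reads. What it leaks is state, which is exactly the distinction the slide draws between information flow and what a subject can know about the system.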

Bell-LaPadula Confidentiality Model

• It was the first mathematical model with a multilevel security policy; it is used to define the concept of a secure state machine and models of access, and it outlined rules of access.
• It is a state machine model that enforces the confidentiality aspects of the access model.
• The model focuses on ensuring that subjects with different clearances (top secret, secret, confidential) are properly authenticated by having the necessary security clearance, need to know, and formal access approval before accessing objects that are under different classification levels (top secret, secret, confidential).
• The rules of the Bell-LaPadula model:
– Simple security rule (no read up rule): it states that a subject at a given security level cannot read data that resides at a higher security level.
– Star property rule (no write down rule): it states that a subject at a given security level cannot write information to a lower security level.
– Strong star property rule: it states that a subject that has read and write capabilities can only perform those functions at the same security level, nothing higher and nothing lower.
– Tranquility principle: subjects and objects cannot change their security levels once they have been instantiated (created).

Biba Integrity Model

– It was developed after the Bell-LaPadula model.
– It addresses integrity of data, unlike Bell-LaPadula, which addresses confidentiality.
– It uses a lattice of integrity levels, unlike Bell-LaPadula, which uses a lattice of security levels.
– It is also an information flow model like Bell-LaPadula, because both are most concerned about data flowing from one level to another.

The rules of the Biba model

– Simple integrity rule (no read down): it states that a subject cannot read data from a lower integrity level.
– Star integrity rule (no write up): it states that a subject cannot write data to an object at a higher integrity level.
– Invocation property: it states that a subject cannot invoke (call upon) a subject at a
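The following example, added for this page and not taken from the lecture, serves the Bell-LaPadula and Biba slides together: one reference monitor, written as the state machine the earlier slide describes (its state is the set of accesses currently held, each request is a transition taken only if no rule is broken), enforces the BLP rules on confidentiality levels and the Biba rules on integrity levels at the same time. One simplification is assumed: levels form a total order rather than a full lattice, so "dominates" is just `>=`. Subject and object names, the two level scales and the function names (`ReferenceMonitor`, `demo`) are constructed for the example.

```python
from dataclasses import dataclass

# Assumption for this example: levels are a chain (total order), not a full lattice,
# so dominance reduces to >=. Both scales below are constructed sample values.
CONF = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEG = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Entity:
    name: str
    conf: int     # clearance (subject) or classification (object)
    integ: int    # integrity level


class ReferenceMonitor:
    """State machine whose state is the set of current accesses. A request is a
    transition that is taken only when the resulting state still obeys every rule."""

    def __init__(self, strong_star=False):
        self.strong_star = strong_star
        self.entities = {}
        self.accesses = set()           # current (subject, object, mode) triples

    def create(self, name, conf, integ):
        # Tranquility: levels are fixed when an entity is instantiated; no relabelling.
        if name in self.entities:
            return False
        self.entities[name] = Entity(name, CONF[conf], INTEG[integ])
        return True

    def blp_violation(self, s, o, mode):
        """Bell-LaPadula (confidentiality): None if permitted, else the rule broken."""
        if mode in ("read", "write") and self.strong_star and s.conf != o.conf:
            return "strong star property (same level only)"
        if mode == "read" and s.conf < o.conf:
            return "simple security rule (no read up)"
        if mode == "write" and s.conf > o.conf:
            return "star property (no write down)"
        return None                     # BLP says nothing about other modes, e.g. invoke

    def biba_violation(self, s, o, mode):
        """Biba (integrity): None if permitted, else the rule broken."""
        if mode == "read" and s.integ > o.integ:
            return "simple integrity rule (no read down)"
        if mode == "write" and s.integ < o.integ:
            return "star integrity rule (no write up)"
        if mode == "invoke" and s.integ < o.integ:
            return "invocation property (no invoking a higher integrity subject)"
        return None

    def violation(self, subject, obj, mode):
        s, o = self.entities[subject], self.entities[obj]
        return self.blp_violation(s, o, mode) or self.biba_violation(s, o, mode)

    def request(self, subject, obj, mode):
        """Attempt a transition; returns (granted, reason)."""
        reason = self.violation(subject, obj, mode)
        if reason:
            return False, reason
        self.accesses.add((subject, obj, mode))
        return True, "granted"

    def secure_state(self):
        """State invariant: every access currently held is still permitted by both models."""
        return all(self.violation(s, o, m) is None for s, o, m in self.accesses)


def demo(strong_star=False):
    """Constructed sample subjects and objects."""
    rm = ReferenceMonitor(strong_star)
    rm.create("alice", "secret", "high")          # subject
    rm.create("bob", "confidential", "low")       # subject
    rm.create("plan", "top_secret", "high")       # object
    rm.create("memo", "confidential", "medium")   # object
    rm.create("log", "unclassified", "low")       # object
    return rm


if __name__ == "__main__":
    rm = demo()
    for req in (("alice", "plan", "read"), ("alice", "plan", "write"),
                ("alice", "memo", "read"), ("bob", "plan", "write"),
                ("bob", "log", "read"), ("bob", "alice", "invoke")):
        print(req, rm.request(*req))
    print("secure state:", rm.secure_state())
```

Running the two models together shows why they are duals: alice (secret, high integrity) may write the top-secret plan but may not read the confidential memo, because reading it would pull medium-integrity data into a high-integrity subject.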

Clark-Wilson Integrity Model

It was developed after Biba and addresses the integrity of information.

This model separates data into one subset that needs to be highly protected, referred to as constrained data items (CDI), and another subset that does not require a high level of protection, referred to as unconstrained data items (UDI).

Components

– Subjects (users): active agents.
– Transformation procedures (TPs): the software procedures such as read, write, modify that perform the required operation on behalf of the subject (user).
– Constrained data items (CDI): data that can be modified only by TPs.
– Unconstrained data items (UDI): data that can be manipulated by subjects via primitive read/write operations.
– Integrity verification procedure (IVP): programs that run periodically to check the consistency of CDIs with external reality. These integrity rules are usually defined by vendors.

Integrity goals of the Clark-Wilson model

– Prevent unauthorized users from making modifications (addressed by the Biba model).
– Separation of duties prevents authorized users from making improper modifications.
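The components and goals listed above fit together as an access-triple system: users run certified TPs, TPs are the only things that touch CDIs, an IVP decides whether the CDIs are still consistent, and separation of duties limits which TPs one user may hold. The following example was added for this page and is not from the lecture. It is a small ledger: account balances and a ledger total are CDIs, the IVP checks that no balance is negative and that balances sum to the total, a buggy TP is caught by the IVP before it commits, and a cashier who holds the deposit TP is refused the reconcile TP. All names (`ClarkWilson`, `ledger_ivp`, the TP functions, users and accounts) are constructed for the example.

```python
def ledger_ivp(cdis):
    """Integrity verification procedure (constructed): no account is negative and the
    account balances add up to the recorded ledger total."""
    accounts = {k: v for k, v in cdis.items() if k.startswith("acct_")}
    return (all(v >= 0 for v in accounts.values())
            and sum(accounts.values()) == cdis["ledger_total"])


# Transformation procedures: pure functions from a view of their CDIs (plus arguments)
# to the CDI values they want written. The monitor, not the TP, commits the change.
def tp_deposit(view, acct, amount):
    return {acct: view[acct] + amount, "ledger_total": view["ledger_total"] + amount}


def tp_transfer(view, src, dst, amount):
    return {src: view[src] - amount, dst: view[dst] + amount}


def tp_buggy_transfer(view, src, dst, amount):
    return {src: view[src] - amount}      # debits without crediting: violates the IVP


def tp_reconcile(view):
    return {"ledger_total": sum(v for k, v in view.items() if k.startswith("acct_"))}


class ClarkWilson:
    def __init__(self, ivp, separated=()):
        self.cdis, self.udis = {}, {}
        self.tps = {}                     # certified TPs: name -> (function, CDIs it may touch)
        self.allowed = set()              # certified (user, TP) pairs
        self.log = []                     # append-only audit trail of committed TPs
        self.ivp = ivp
        self.separated = [frozenset(g) for g in separated]   # TP groups one user may not combine

    def add_cdi(self, name, value):
        self.cdis[name] = value

    def write_udi(self, name, value):
        self.udis[name] = value           # unconstrained: a primitive write, no TP needed
        return True

    def write_cdi(self, name, value):
        return False                      # constrained: direct writes are never permitted

    def certify_tp(self, name, func, cdi_names):
        self.tps[name] = (func, frozenset(cdi_names))

    def authorize(self, user, tp):
        """Add (user, TP) unless it would give the user two TPs of one separated duty."""
        held = {t for u, t in self.allowed if u == user}
        for group in self.separated:
            if tp in group and held & (group - {tp}):
                return False
        self.allowed.add((user, tp))
        return True

    def run_tp(self, user, tp_name, *args):
        """Run a certified TP for an authorized user; commit only if the IVP still holds."""
        if (user, tp_name) not in self.allowed:
            return False, "user is not certified to run this TP"
        func, cdi_names = self.tps[tp_name]
        view = {n: self.cdis[n] for n in cdi_names}
        updates = func(view, *args)
        if not set(updates) <= cdi_names:
            return False, "TP attempted to modify a CDI it is not certified for"
        trial = {**self.cdis, **updates}
        if not self.ivp(trial):
            return False, "result fails the integrity verification procedure"
        self.cdis = trial
        self.log.append((user, tp_name, args))
        return True, "committed"


def demo_ledger():
    """Constructed sample system: two accounts, a cashier, a teller, separated duties."""
    cw = ClarkWilson(ledger_ivp, separated=[("deposit", "reconcile")])
    for name, value in (("acct_A", 100), ("acct_B", 50), ("ledger_total", 150)):
        cw.add_cdi(name, value)
    cw.certify_tp("deposit", tp_deposit, ["acct_A", "acct_B", "ledger_total"])
    cw.certify_tp("transfer", tp_transfer, ["acct_A", "acct_B"])
    cw.certify_tp("bad_transfer", tp_buggy_transfer, ["acct_A", "acct_B"])
    cw.certify_tp("reconcile", tp_reconcile, ["acct_A", "acct_B", "ledger_total"])
    cw.authorize("cashier", "deposit")
    cw.authorize("teller", "transfer")
    cw.authorize("teller", "bad_transfer")
    return cw


if __name__ == "__main__":
    cw = demo_ledger()
    print(cw.run_tp("cashier", "deposit", "acct_A", 20))                  # committed
    print(cw.run_tp("teller", "bad_transfer", "acct_A", "acct_B", 10))    # rejected by IVP
    print(cw.authorize("cashier", "reconcile"))                           # False: separation of duties
```

The IVP runs on a trial copy before anything is committed, so a mis-certified TP cannot leave the CDIs inconsistent; in the model as the slide states it the IVP runs periodically, and the check-before-commit here is an added strengthening that keeps the example deterministic.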

Access Control Matrix

This model is addressed in access control.

Information Flow Models

• In this model, data is thought of as being held in individual discrete compartments.
• Information is compartmentalized based on two factors:
– Classification, and
– Need to know.
• The subject's clearance has to dominate the object's classification, and the subject's security profile must contain one of the categories listed in the object label, which enforces need to know.
• For example:
– Bell-LaPadula, which prevents information flowing from a higher security level to a lower security level.
– Biba, which prevents information flowing from a lower integrity level to a higher integrity level.

Covert channels

• A covert channel is a way for an entity to receive information in an unauthorized manner.
• It is an information flow that is not controlled by a security mechanism.
• It is an unauthorized communication path that is not protected by the system because it was not uncovered while developing the system.
• Types of covert channels
– Covert timing: in this channel, one process relays information to another by modulating its use of system resources.

Graham-Denning Model

This model defines a set of basic rights in terms of commands that a specific subject can execute on an object.

It proposes eight primitive protection rights, or rules of how these types of functionalities should take place securely.

Harrison-Ruzzo-Ullman Model

The HRU security model (Harrison, Ruzzo, Ullman model) is an operating system level computer security model which deals with the integrity of access rights in the system. The system is based around the idea of a finite set of procedures being available to edit the access rights of a subject s on an object o.

The model also discussed the possibilities and
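The access control matrix, Graham-Denning and HRU slides above describe one structure at three levels: the matrix itself, a fixed set of rights that commands manipulate, and the HRU formalism in which every command is a conjunction of "right r is in cell (s, o)" conditions guarding a sequence of six primitive operations (enter right, delete right, create subject, create object, destroy subject, destroy object). The following example was added for this page and is not from the lecture; it implements the matrix and the HRU primitives and then expresses an owner/grant scheme as HRU commands, showing that a command whose condition fails is a no-op. The command and parameter names (`CREATE_FILE`, `GRANT_READ`, `owner`, `friend`, `f`) and the users are constructed for the example.

```python
class AccessMatrix:
    """Access control matrix: rows are subjects, columns are objects, cells hold rights."""

    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.cells = {}          # (subject, object) -> set of rights

    def has(self, s, o, r):
        return r in self.cells.get((s, o), set())

    # The six HRU primitive operations
    def enter(self, r, s, o):
        self.cells.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        self.cells.get((s, o), set()).discard(r)

    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)      # in HRU every subject is also an object (a column)

    def create_object(self, o):
        self.objects.add(o)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)

    def destroy_object(self, o):
        self.objects.discard(o)
        self.cells = {k: v for k, v in self.cells.items() if o not in k}


class Command:
    """An HRU command: 'if r1 in (s1, o1) and ... then op1; op2; ...'.

    conditions: list of (right, subject_param, object_param)
    body: list of (primitive_name, arg, ...) where each arg is a parameter name
          or a literal right name.
    """

    def __init__(self, name, conditions, body):
        self.name, self.conditions, self.body = name, conditions, body

    def run(self, m, **params):
        """Execute on matrix m; returns False (and changes nothing) if a condition fails."""
        for right, s, o in self.conditions:
            if not m.has(params[s], params[o], right):
                return False
        for primitive, *args in self.body:
            getattr(m, primitive)(*[params.get(a, a) for a in args])
        return True


# Constructed sample commands: a classic owner/grant scheme
CREATE_FILE = Command("create_file", [],
                      [("create_object", "f"), ("enter", "own", "owner", "f")])
GRANT_READ = Command("grant_read", [("own", "owner", "f")],
                     [("enter", "read", "friend", "f")])
REVOKE_READ = Command("revoke_read", [("own", "owner", "f")],
                      [("delete", "read", "friend", "f")])


def demo():
    """Replay a constructed scenario; returns the observable decisions."""
    m = AccessMatrix()
    for s in ("alice", "bob", "carol"):
        m.create_subject(s)
    CREATE_FILE.run(m, owner="alice", f="report")
    results = {
        "alice grants bob": GRANT_READ.run(m, owner="alice", friend="bob", f="report"),
        "bob grants carol": GRANT_READ.run(m, owner="bob", friend="carol", f="report"),
        "bob can read": m.has("bob", "report", "read"),
        "carol can read": m.has("carol", "report", "read"),
    }
    REVOKE_READ.run(m, owner="alice", friend="bob", f="report")
    results["bob after revoke"] = m.has("bob", "report", "read")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because bob holds only the read right and not own, his attempt to grant carol access fails the command's condition and leaves the matrix untouched; the question HRU then asks, whether any sequence of such commands can ever put a given right into a given cell, is what the truncated last sentence of the HRU slide goes on to discuss.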

Brewer-Nash (Chinese Wall)

This model provides access controls that can change dynamically depending upon a user's previous actions.

The main goal of this model is to protect against conflicts of interest arising from users' access attempts.

It is based on the information flow model, where no information can flow between subjects and objects in a way that would result in a conflict of interest.

The model states that a subject can write to an object
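The dynamic part of the model is a per-subject history: once a subject has read one company's data, every other company in the same conflict-of-interest class moves behind the wall. The following example was added for this page and is not from the lecture. It implements the read rule and the write rule (the *-property) as Brewer and Nash state it: a subject may write to an object only if it may read it and it has read unsanitized information from no other company dataset. One simplification is assumed here: the write rule is evaluated over what the subject has actually read rather than over everything it could read. The company names, conflict classes, object names and function names (`ChineseWall`, `demo`) are constructed for the example.

```python
# Constructed sample objects: name -> (company dataset, conflict-of-interest class).
# Sanitized (public) information is marked (None, None).
OBJECTS = {
    "bankA_accounts": ("BankA", "banks"),
    "bankB_loans": ("BankB", "banks"),
    "oilX_reserves": ("OilX", "oil"),
    "oilY_reserves": ("OilY", "oil"),
    "market_report": (None, None),
}


class ChineseWall:
    """Brewer-Nash access decisions that depend on what a subject has already read."""

    def __init__(self, objects):
        self.objects = objects
        self.history = {}          # subject -> set of company datasets it has read

    def _conflict_class(self, dataset):
        for ds, coi in self.objects.values():
            if ds == dataset:
                return coi
        return None

    def can_read(self, subject, obj):
        """Simple security rule: readable if the object is sanitized, belongs to a dataset
        the subject already read, or no dataset from its conflict class has been read yet."""
        dataset, coi = self.objects[obj]
        if dataset is None:
            return True
        seen = self.history.get(subject, set())
        return dataset in seen or all(self._conflict_class(d) != coi for d in seen)

    def read(self, subject, obj):
        """Perform a read and record it: the wall around the subject grows."""
        if not self.can_read(subject, obj):
            return False
        dataset, _ = self.objects[obj]
        if dataset is not None:
            self.history.setdefault(subject, set()).add(dataset)
        return True

    def can_write(self, subject, obj):
        """*-property, evaluated over the subject's actual read history (a simplification
        made for this example): write only if the object is readable and the subject has
        read unsanitized data from no other company dataset, so nothing can be carried
        across the wall through this object."""
        if not self.can_read(subject, obj):
            return False
        dataset, _ = self.objects[obj]
        return all(d == dataset for d in self.history.get(subject, set()))


def demo():
    """Replay a constructed sequence of requests; returns the decisions and the wall."""
    wall = ChineseWall(OBJECTS)
    steps = [
        ("alice", "read", "market_report"),     # sanitized: always allowed
        ("alice", "read", "bankA_accounts"),    # first bank: allowed
        ("alice", "read", "bankB_loans"),       # competing bank: denied
        ("alice", "read", "oilX_reserves"),     # other conflict class: allowed
        ("alice", "write", "oilX_reserves"),    # denied: could carry BankA data across
        ("bob", "read", "bankA_accounts"),
        ("bob", "write", "bankA_accounts"),     # allowed: bob has read only BankA
    ]
    decisions = [wall.read(s, o) if action == "read" else wall.can_write(s, o)
                 for s, action, o in steps]
    return decisions, wall


if __name__ == "__main__":
    decisions, wall = demo()
    print(decisions)                 # [True, True, False, True, False, True, True]
    print(wall.history["alice"])     # {'BankA', 'OilX'}
```

The last two decisions for alice are the heart of the model: reading OilX is fine because oil and banks are different conflict classes, but writing to OilX is refused, since alice has also read BankA data and an OilX file could later be read by an analyst inside BankB's half of the banking wall.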

Trusted Platform Module (TPM)

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices. TPM's technical specification was written by a computer industry consortium
